mdw@git.distorted.org.uk Git - firewall/blob - fender.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Firewall configuration for fender actual
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### fender-specific rules.
  26
  27 m4_divert(86)m4_dnl
  28 ## Externally visible services.
  29 allowservices inbound tcp \
  30         ssh \
  31         ident
  32
  33 ## We have to provide NTP service.  The guests sync to our clock.
  34 ntpclient inbound $ntp_servers
  35
  36 ## Provide NTP service to untrusted clients.
  37 run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
  38           --source-port 123 --destination-port 123
  39
  40 ## Guaranteed black hole.  Put this at the very front of the chain.
  41 run iptables -I INPUT -d 217.169.12.78 -j DROP
  42 run ip6tables -I INPUT -d 2001:8b0:c92:fff::ffff -j DROP
  43
  44 ## Ethernet bridge-level filtering for source addresses.
  45 run ebtables -F
  46 for i in log limit ip ip6; do run modprobe ebt-$i; done
  47
  48 for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
  49   run ebtables -X $c >/dev/null 2>&1 || :
  50 done
  51
  52 for ch in bad-source-addr bcp38; do
  53   run ebtables -N $ch
  54   run ebtables -A $ch \
  55           --limit 20/second --limit-burst 100 \
  56           --log-prefix "fw: $ch(br)" --log-ip --log-ip6
  57   run ebtables -A $ch -j DROP
  58 done
  59
  60 run ebtables -N check-bcp38
  61 run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 81.187.238.128/28
  62 run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 217.169.12.64/28
  63 run ebtables -A check-bcp38 -j bcp38 -p ip
  64 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:8b0:c92::/48
  65 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
  66 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
  67 run ebtables -A check-bcp38 -j bcp38 -p ip6
  68 run ebtables -A FORWARD -j check-bcp38 -o br-dmz
  69
  70 ## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it
  71 ## misparses (at least) locally originated multicast packets, and tries to
  72 ## extract IP header fields relative to the start of the Ethernet frame.  The
  73 ## result is obviously a hideous mess.  Don't try to do BCP38 checking for
  74 ## locally originated packets until this is fixed.
  75 ##run ebtables -A OUTPUT -j check-bcp38 -o bond0
  76
  77 m4_divert(-1)
  78 ###----- That's all, folks --------------------------------------------------